MEDIUM 5.5

CVE-2026-44821: Microsoft Office Out-of-Bounds Read Information Disclosure

CVE-2026-44821 is a medium-severity memory flaw in Microsoft Office products that allows an attacker with local access to read sensitive information from memory without user interaction beyond opening a file. The vulnerability does not enable modification of data or disruption of the application, but the confidentiality risk is significant—particularly in multi-user or shared-device environments where an attacker can extract information resident in Office's memory footprint.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-125
Affected products
16 configuration(s)
Published / Modified
2026-06-09 / 2026-06-19

NVD description (verbatim)

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This out-of-bounds read vulnerability (CWE-125) exists in Microsoft Office's memory handling logic. An attacker can craft a malicious Office document that, when opened by a user, triggers an out-of-bounds memory access. Because the flaw permits reading beyond allocated buffer boundaries, sensitive data such as authentication tokens, file metadata, or previously processed document content may be disclosed. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) indicates local attack vector, low complexity, no privilege requirement, and user interaction is required (opening the file), with high confidentiality impact confined to the Office process.

Business impact

Information disclosure through this vulnerability poses a direct risk to organizations handling sensitive documents in Office formats. Customer data, intellectual property, financial records, or personal information resident in memory during document processing could be extracted by an adversary. The impact scales with document volume and data sensitivity—organizations managing merger/acquisition documents, healthcare records, or financial filings face elevated exposure. On shared devices or corporate-managed endpoints with local attackers (insiders, compromised accounts), this becomes a targeted exfiltration vector.

Affected systems

Microsoft Office 2016, 2019, 2021, and 2024 are affected, along with Microsoft 365 Apps and Microsoft 365 subscriptions. SharePoint Server deployments using Office integration are also in scope. The breadth of affected versions reflects the longevity of this memory handling issue across Office's codebase. Organizations running any of these versions—whether on-premises or cloud-connected—should inventory exposure.

Exploitability

Exploitation requires local access and user interaction (opening a crafted document), which moderates the immediate threat landscape but does not eliminate it. In corporate environments, phishing campaigns delivering malicious Office attachments remain credible. Insider threats or compromised low-privilege accounts can also weaponize this vulnerability. The attack does not require elevation or complex setup; a single user opening a file is sufficient. Exploit code has not been publicly disclosed or included in known-exploit databases at time of publication, but the straightforward nature of out-of-bounds reads makes weaponization feasible once technical details circulate.

Remediation

Apply security updates from Microsoft targeting this vulnerability across affected Office versions. Verify patch availability through Microsoft's security bulletin and your organization's patch management system. For environments unable to patch immediately, reduce attack surface by disabling Office macro execution for untrusted sources, restricting local login privileges, and enforcing file execution policies that quarantine suspicious documents. Consider application allowlisting to limit Office document processing to known-good sources in high-risk scenarios.

Patch guidance

Check Microsoft's official security updates for Office 2016, 2019, 2021, and 2024, as well as Microsoft 365 Apps and SharePoint Server. Patches for this vulnerability should be available through Windows Update, Microsoft Update, or direct vendor downloads. Prioritize updates for systems processing externally sourced Office documents. Test patches in a non-production environment first, particularly for SharePoint Server deployments that may have integration dependencies. Confirm via Microsoft's security advisory that the patch version applied addresses CVE-2026-44821 specifically.

Detection guidance

Monitor for unusual Office process memory access patterns or crashes following document opens, particularly if unexpected. Endpoint Detection & Response (EDR) tools should flag attempts to read Office process memory from unprivileged contexts. File monitoring systems can log suspicious Office document opens correlated with subsequent information access. If available, enable Office telemetry to track crash dumps—out-of-bounds reads often generate access violation exceptions. Correlation of document delivery (email, file shares) with subsequent suspicious process behavior may surface attempted exploitation. Network segmentation limiting lateral movement from user desktops reduces the value of information exfiltrated through this channel.

Why prioritize this

Although CVSS 3.1 rates this as MEDIUM (5.5), organizational context warrants careful prioritization. The vulnerability's combination of broad product coverage, simple exploitation mechanics, and high confidentiality impact—particularly for organizations handling regulated or sensitive data—argues for treating it as HIGH priority in discovery and remediation workflows. The absence of required privilege elevation and the prevalence of Office use across enterprises elevate practical risk. Patch timelines should not be deferred simply because CVSS is sub-7.0; align patching cadence with data sensitivity and threat posture instead.

Risk score, explained

The CVSS 3.1 score of 5.5 (MEDIUM) reflects the requirement for local access and user interaction, which limits the attack surface compared to network-exploitable flaws. However, confidentiality impact is rated HIGH, acknowledging the sensitive nature of information potentially resident in Office memory. The absence of integrity or availability impact (I:N/A:N) correctly indicates this is an information disclosure rather than code execution or denial-of-service. Organizations processing high-value documents should apply severity adjustments in their risk frameworks to reflect business context—a financial services firm managing trading documents or a legal firm handling privileged communications may reasonably score this as HIGH within their environment.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. The CVSS vector specifies local attack vector (AV:L), meaning an attacker must have local access to the affected system. Remote exploitation is not possible; however, phishing or social engineering to deliver a malicious Office document to a user on a target system remains a viable attack path.

Does applying a patch require disabling Office features?

Patches for out-of-bounds read flaws typically involve correcting buffer boundary checks and do not disable core features. However, always review Microsoft's advisory for any compatibility notes. Test in a staging environment before wide deployment, especially in environments with custom Office integrations or macros.

What types of information could be disclosed?

Out-of-bounds reads can expose data resident in the Office process's memory heap, including document buffers, cached authentication credentials, file metadata, and remnants of previously processed files. Exact disclosure depends on memory layout and what the attacker's crafted document causes to be read. Organizations handling financial, healthcare, or legally privileged documents face the highest risk.

Is this vulnerability actively exploited in the wild?

As of the publication date, this vulnerability is not listed in the Known Exploited Vulnerabilities (KEV) catalog and has not been confirmed exploited in the wild. However, the straightforward nature of out-of-bounds read exploitation means vigilance is warranted; organizations should not rely on 'no known exploitation' as justification to delay patching.

This analysis is provided for informational purposes and reflects ground-truth source data as of the publication date. Organizations must verify patch availability and applicability to their specific configurations through official Microsoft security advisories. SEC.co makes no warranty regarding the completeness or accuracy of third-party vendor statements. Always conduct independent security testing and risk assessment aligned with your organization's threat model and data classification policies. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).